Contents
User Manual Part 2
Enabling Radios & MIMO Operation Enabling Radios & MIMO Operation Aclara 5900 Series nodes ship with one 900 MHz radio and one radio capable of operation on 2.4, 4.9, or 5 GHz. This multi-band radio can be upgraded to 802.11n (MIMO operation, if desired. (The 900 MHz radio does not support MIMO.) Firetide HotPort 7000 Series nodes used as part of the STAR system can be ordered with a single 900 MHz radio, or a dual radio configuration similar to the Aclara 5900. In either case, you may need to use a software license key to active the second radio, or activate the MIMO option. This chapter explains how. Meshes which have some nodes enabled for 802.11n will use this mode between themselves, but will communicate with other nodes in the mesh using 802.11a or g. You must purchase license keys and enter them into the Licensing tab of the HotView Pro Server Configuration screen. Request a Permanent License and import it before beginning node upgrade. If you are not familiar with the process, refer to the software installation reference guide for details. Figure 5.46 shows the licensing tab for a server that has had several dualradio and Wireless-N (MIMO) licenses added. To upgrade a node, begin by selecting the type of upgrade you wish to perform. This example shows a dual-radio upgrade. Next, click on the HotPort List button. Figure 5.46 Enabling the Second Radio Select the license type for the type of upgrade you wish to perform - Dual Radio or Wireless-N. 37 38 HotView Pro Software Operation Figure 5.47 Selecting Nodes to Upgrade The left side of the screen shows the nodes that have already been upgraded. The right side shows nodes available for upgrade. To upgrade a node on the right, select it and click on Add. If the node you wish to upgrade does not appear, cancel and trouble-shoot the problem. A node must be connected to be upgraded. Figure 5.48 Ready for Upgrade The nodes to be upgraded have been added to the left side. Click Save. You will see a confirmation dialog. Click Yes to proceed. Second-radio upgrades and 802.11n upgrades are permanent. Make sure you are upgrading the correct nodes. MIMO Upgrades 802.11n (MIMO upgrades) are performed the same way. Keeping the Mesh Secure Keeping the Mesh Secure By default, a Firetide mesh is open; this makes initial configuration easy. Most applications, however, will want a higher level of security. Firetide offers a number of features that allow you to implement various levels of security. These security features fall into three categories: • Radio security • Mesh connection security • User security Firetide HotPort 7000 Series nodes are FIPS 140 compliant. Both the HotPort 7000 Series and HotPort 6000 Series nodes are FIPS 180-3, FIPS 186-2, and FIPS 197 compliant. Radio Security Successful eavesdropping can be prevented by enabling 256-bit AES encryption over the radio links. An additional end-to-end encryption layer can also be added, if desired. The ESSID can be encrypted, in order to keep casual eavesdroppers from detecting equipment presence Mesh Connection Security Normally, a node will join a mesh if the basic mesh settings are the same. To prevent unknown nodes from joining the mesh, you must change the default mesh settings. You can also disable unused Ethernet ports (or ones in use, for that matter), and also set alarms to detect a change in state of any port. This prevents the connection of unauthorized equipment. If desired, you can restrict mesh traffic to that traffic which originates on a pre-defined set of Ethernet MAC addresses. This is a powerful, but somewhat tricky tool. For ultra-high security applications, you can enable a feature which uses digital signatures to prevent a mesh node from joining a mesh until it is explicitly approved to do so. User Security All security is worthless if unauthorized users can access HotView Pro itself and modify settings. HotView Pro permits to define multiple levels of user access and authority. 39 40 HotView Pro Software Operation Radio Security Figure 6.49 Enabling Radio Encryption Over-the-air traffic should be encrypted using the built-in 256-bit AES encryption engine. Select either hex or ASCII key formats, and enter the key string. The encryption is performed in hardware, and there is no measurable performance impact. Figure 6.50 End-to-End Encryption You can enable a second level of encryption for the maximum possible security; however this can imposes a small throughput penalty on very fast links (>50 Mbps) on HotPort 7000 Series nodes. Keeping the Mesh Secure Mesh Connection Security Mesh Connection security covers all of the available techniques used to prevent an intruder from either adding a node to the mesh, or making a wired Ethernet connection to an existing mesh node. There are several facets to mesh intrusion prevention. These are: Blocking Unauthorized Nodes In even the simplest, low-security applications, you should always change the basic mesh parameters: mesh ID number, mesh name, mesh IP address, and mesh ESSID. You should also enable radio encryption. You can prevent unauthorized nodes from joining the mesh. To do this, you must enable the high security mode in HotView Pro. Note that this is system-wide; you cannot have some meshes at high security and other meshes at low security. Figure 6.51 shows the Security tab within the HotView Pro Server Configuration window. High Security has been selected. Figure 6.51 High Security Mode When High Security is selected, you have three options: trust all; pre-trust existing, and require confirmation for all. For the pre-trust option, you must enter the serial numbers for each existing node. Typically, a mesh is configured and deployed before high-security is enabled; this is much simpler. Once the system has been deployed and is ready to be placed into production service, high security is enabled and the serial numbers are entered manually, as shown in Figure 6.51. Figure 6.52 Adding a Trusted Node When a new node attempts to join the mesh, a dialog window will appear, requesting permission. 39 42 HotView Pro Software Operation Limiting Unauthorized Connections It is possible for unauthorized users to attach equipment to the existing mesh. There are two steps you can take to prevent this: • Disable unused Ethernet ports. • Create an automatic alarm/e-mail alert if an Ethernet port is tampered with. Figure 6.53 Active and Disabled Ethernet Ports The icon on the left shows an outdoor node with one port in use (green) and two active, but unused ports (yellow). On the right, the two unused ports are gray - they have been disabled. The status of every port on the mesh is visible on each node, as shown in Figure 6.53. Disabled ports are just that; disabled - if you connect to one, it will not respond in any way. (This can be a source of frustration when troubleshooting a problem. If a connection does not seem to be working, check to be sure the port is enabled.) To disable (or re-enable) an Ethernet port, right-click on the node and select Configure Node Port > Port Configuration. Then modify the port settings as desired. Figure 6.54 Disabling Ports Individual Ethernet ports may be disabled, as shown. Port Change Alarms An intruder could still potentially gain access to the mesh by unhooking an existing devices, such as a camera or access point, and connecting in its place. This cannot be prevented (except by physical means) but it can be detected, using Hot View Pro’s alarm capability. Refer to the chapter on alarms to learn how to trigger an alarm on any change of state of any wired Ethernet port. Keeping the Mesh Secure MAC Address Filtering MAC Address Filtering is a powerful but dangerous tool. It simply blocks all Ethernet frames from traversing the mesh, except those which have a permitted source MAC address. It is critical to make sure that ALL necessary MAC addresses are added to the list; in particular the MAC address of the HotView Pro server and/or any intervening switches, routers, or other equipment. Failure to do so will cut you off from the mesh; you will need to factory-reset all nodes in order to recover. It’s best to include the MAC addresses of one or two ‘spare’ machines on site, just is case a problem develops with the primary HotView Pro machine. The MAC Address filtering command can also be used to block specific MAC addresses. This has limited security use, but can be helpful in disabling any misbehaving hardware on the mesh. Figure 6.55 MAC Address Filtering Use this window to enter the MAC addresses to be permitted on the mesh. Be sure to include the address of the HotView Pro server. 39 44 HotView Pro Software Operation User Security Figure 6.56 Mesh Login Credential - Mesh HotView Pro connects to the mesh using the mesh’s User Account login credential, shown here. You should change the Read/Write user name and password. The default values are admin and firetide. Figure 6.57 Mesh Login Credential - HotView Pro Server After changing the mesh login credential on the mesh itself, you must tell HotView Pro what the new credential is. Do so via the HotView Pro Server Configuration menu, as shown. It is also necessary to limit human access to the mesh; in particular to HotView Pro. This is a multi-step process. You must: • Re-define the login credential that is used to access the mesh itself. • Define user login credentials for each human user. Keeping the Mesh Secure Defining Human Users Human users of HotView Pro are defined as part of HotView Pro Server Configuration. Two default users are pre-defined, hv_admin and hv_guest. The default user hv_admin has full privileges on all meshes and system administration privileges; the default user hv_guest is read-only. There are three assignable privileges for each user: • Server Configuration Granting this privilege allows the user to configure the HotView Pro Server, and add other users. This is effectively a super-user level. Options are deny access or admin access. • Default Access This parameter defines the access level given to the user for all new meshes created; that is, ones not already shown in the mesh list. Options are: deny access, read-only, or read-write. This parameter lets you specify the access level • Access Privileges for each existing mesh, controller, and AP groups. Options are: deny access, read-only, or read-write. Figure 6.58 User Definitions Users can be assigned different privilege levels on a mesh-by-mesh basis. This provides a high degree of flexibility, especially in multi-tenancy applications. Here, a new user (grenley) has been created, and has been assigned administrative access to HotView Pro, as well as read-write access to all current and future meshes. When creating all-access user accounts be sure to use the Select Access Type drop down to assign read-write access for Controllers and AP Groups as well. 39 46 HotView Pro Software Operation Figure 6.59 User Lockout In high-security mode, you can specify a maximum number of login attempts. Exceeding this level will lock the user out. The user will remain locked out for the lockout period. If this is set to 0, the user will be locked out until he is manually unlocked. Figure 6.60 Remote Access User Configuration HotView Pro allows remote access via telnet or SSH to each node in the mesh. The access credentials for this should be either disabled or changed. Use HotPort Users Configuration, under the Mesh menu, to do this. Configuring an Ethernet Direct Connection Configuring an Ethernet Direct Connection An Ethernet Direct connection is a wired connection between two nodes in the same mesh. (There can be wired connections between meshes, but these are not Ethernet Direct.) Ethernet Direct is commonly used between nodes that are relatively close together, but may not be in RF contact. Typically this occurs with nodes which are mounted on a building roof or tower, and use direction antennas to cover the landscape. The mesh treats an Ethernet Direct as if it were simply another radio link between nodes. Ethernet Direct offers three advantages: • It is faster than a radio link - nominally 1 Gbps. • It is full-duplex; radios are half-duplex. • It does not tie up spectrum or radios; allowing them to continue to carry other traffic. Setting up an Ethernet Direct is easy. Begin by selecting the Ethernet Direct option from the Mesh menu. A window appears. You will use this window to define a tunnel that will carry the traffic between the nodes. Figure 7.61 Ethernet Direct Initial Data Entry Begin by entering a name for the Ethernet Direct tunnel; then select the node from the drop-down list of nodes on the mesh. Select the wired port that you will use. DO be sure to pick the Ethernet port you plan to use. It is common to use port 1, because this is the non-PoE port. This leaves the PoE port available for cameras, APs, or other equipment. DO NOT connect a wire between the nodes. That is the last step. You’ll need to create two tunnel endpoint IP address for this. They must be unique; typically two values are selected from the same subnet. Enter the selected tunnel IP address information, and specify the link capacity. A correct link capacity helps the mesh load balance better. The link can be encrypted if necessary. Finally, click Add, but do NOT click Save. 47 48 HotView Pro Software Operation Figure 7.62 Far-End Tunnel Endpoint At the top of the window, select the blue text - this is the first tunnel endpoint. It will highlight, as shown. Click on mirror. The IP addresses at the bottom fill in, but are reversed for near and far ends. Select the node for the other end of the tunnel, and select the port. Next, fill in the subnet mask and default gateway, then click add again. Configuring an Ethernet Direct Connection Figure 7.63 Completed Tunnel When you have completed the data entry for both ends of the tunnel, and clicked Add, the tunnel text will turn green. It is now time to click Save. It is also time to complete the wired connection between the two nodes. Make sure you complete the wired connection to the ports shown in the Ethernet Direct tunnel listing. Figure 7.64 Completed Ethernet Direct A green line will appear between the nodes when the Ethernet Direct connection is operating correctly. 47 50 HotView Pro Software Operation Tearing Down an Ethernet Direct Connection If the Ethernet Direct connection is not needed, it can easily be removed. Simply go to the Ethernet Direct setup window via the Mesh menu, select the tunnel to be removed, and click on Remove. You will see a warning message. Figure 7.65 Ethernet Direct Port Disable Warning When you tear down an Ethernet Direct connection, the ports involved will be disabled. Remove the wired connection, if you have not done so already. Then reenable the Ethernet ports. This is done by right-clicking on each node and selecting the Port Configuration command. Figure 7.66 Disabled Port Indication A node with a disabled Ethernet port will show a gray dot, instead of a yellow (enabled) or green (in use) dot. Creating Gateway Groups Creating Gateway Groups Gateway groups provide redundant, load-balancing connections between a wireless mesh and the wired infrastructure. There are two key elements in a Gateway Group: the Gateway Interface nodes and the Gateway Server. The Gateway Interface nodes act as the gateways between the wireless world and the wired world. There are at least two, for redundancy, and there can be as many as eight. Gateway interface nodes are 5900 series nodes. The Gateway Server is the controlling device for all Gateway Interface nodes. It manages the traffic, load-balances, and is responsible for broadcast and multicast containment. The Gateway Server node must be a 7000. HotPort Mesh Gateway Interface Node Gateway Interface Node Wired Network Gateway Interface Node Gateway Interface Node Server Room Gateway Server Logically, the Gateway Group consists of tunneled connections between the Gateway Interface nodes and the Gateway Server. Setting up a Gateway Group consists primarily of creating these tunnels. Note: the Gateway Server is a single point of failure in the system, so it should be installed in a computer or server room, backed up by a UPS. It is possible to configure a redundant backup Gateway Server, if desired. Figure 8.67 Basic Gateway Group The Gateway Group consists of the Gateway Server, located in a safe, benign environment, and the Gateway Interface nodes, located in the field as part of the mesh. In this example, there are four Gateway Interface nodes positioned throughout the mesh. 51 52 HotView Pro Software Operation Steps to Create a Gateway Group There are seven basic steps involved in creating a Gateway Group. Figure 8.68 Creating a Gateway Server Node Right-click on the node you wish to re-configure, and select the Configure this node as a Gateway Server... 1. Use the Import Mesh Configuration command to make a current copy of the mesh configuration for the mesh to which you are adding the Gateway Group. 2. Using a new node, switch its operated mode from normal operation to Gateway Server. 3. Tell this new Gateway Server node which mesh it is to be the Gateway Server for. 4. Configure the tunnel IP addresses and other key information in the Gateway Server. 5. Manually configure one node, already on the mesh, to be a Gateway Interface node. 6. Disconnect the existing mesh connection; connect the new Gateway Interface node and the Gateway Server node together via a switch. 7. Now that the Gateway Server is talking to the mesh, instruct it to inform the other Gateway Interface nodes of the relevant tunnel parameters. Each of these basic steps consist of several sub-steps. Step 1: Import the Mesh Configuration Import the current mesh configuration from the current mesh, and save the file where you can find it later. Log out of the mesh and physically disconnect from it. Step 2: Switching the Operating Mode of a Node Set up a new (or otherwise unused) node on the bench, and apply power. After one minute or so, it should respond to pings at 192.168.224.150. If it doesn’t, reset it with a paperclip or similar. Using HotView Pro, connect to this one-node “mesh” at 192.168.224.150. If a Country Code warning appears, you can ignore it. Figure 8.69 Gateway Server Icon If you did the reconfiguration right, it will look like this: Right-click on the node, and select Re-Configure this Node to... and select the flyout Configure This Node as a Gateway Server. You will see a warning message; then the node will reboot. Log out of the mesh. The node IP address will still be 192.168.224.150. When the reboots, use the Add Mesh command to re-connect to the node. Creating Gateway Groups Step 3: Tell the New Gateway Server Node Which Mesh it is the Gateway Server For Use the Apply Saved Mesh Configuration command to do this. Note: it is a common error to skip this step; the Gateway Group will not work if you have not done this. Note that this will change the Mesh IP address; you will need to log out of the mesh, and then add the mesh back at the new address. Step 4: Configure the Tunnel IP Addresses and Other Information Right-click on the Gateway Server node and select Gateway Configuration. From the flyout menu, select Gateway Server Settings. Begin by configuring the Gateway Server tunnel IP addresses, in the left half of the window, as shown in Figure 8.70. Figure 8.70 Gateway Server Settings, Part One This window lets you configure all tunnel IP addresses and other key parameters for the Gateway Group. In this example, the Gateway Group has been named, and the IP address for the Gateway Server end of the tunnels has been entered. Next, on the right side of the window, enter the IP addresses for the tunnel endpoints that will terminate at the Gateway Interface nodes (referred to here as members). The Member Link Capacity drop-down lets you specify the data rate of the connection between the Gateway Interface node and the wired backbone. While the nodes themselves operate at 1 Gbps, the backhaul link may be slower. Setting the link capacity helps the Gateway Server do a better job of load balancing. Figure 8.71 Gateway Server Settings, Part Two Here, two sets of tunnel IP addresses have been entered, simply by typing them in and clicking on the Add button. There is no need (yet) to worry about which Gateway Interface node gets which tunnel address. You can have up to 16 Gateway Interface nodes, and you can enter all the addresses now, if you wish. 53 54 HotView Pro Software Operation Step 5: Manually Configure the First Gateway Interface Node Log out of the one-node Gateway Server “mesh”, and physically disconnect from it. Physically connect to the original mesh again. Use the Add Mesh command to re-connect to it. Figure 8.72 Gateway Interface Settings Right-click on one of the nodes that will be a Gateway Interface node, but is NOT the current head node. Tick the Enable Gateway Interface box, and enter the tunnel IP address in the Member IP address field. Complete the other fields, including the port to be used. Next, enter the Gateway Server tunnel IP address in the field at the bottom. Click Save. Step 6: Switch the Wires Around Log out of the mesh. Disconnect the wire from the head node to the switch. Connect the Gateway Server node to the switch, then connect the Gateway Interface node you just configured to the switch. Use the Add Mesh command to re-connect to the mesh. It should look like Figure 8.73 Figure 8.73 First Gateway Group Link Up If you did everything correctly, there will be a solid green line between the Gateway Server node and the Gateway Interface node. Creating Gateway Groups Step 7: Gateway Server Configures the Gateway Interface Nodes Now that the Gateway Server is in communication with the mesh, it can automatically configure other Gateway Interface nodes. To tell it to do so, right-click on the Gateway Server node and bring up the Gateway Server Configuration window. Note that one of the Gateway Interfaces is already configured, but the others are not. Figure 8.74 Gateway Server Settings Select the Gateway Interface that is not yet configured, and tick the box below it that says Configure Interface with HotPort WAN Node. Select the desired node from the dropdown that appears. Click Apply. Repeat as required, then click Save. When you have completed configuring the remaining Gateway Interface nodes, connect them to the switch. When you are done, your mesh should look like Figure 8.75. Figure 8.75 Completed Gateway Group This shows a typical Gateway Group with two Gateway Interface nodes. 55 56 HotView Pro Software Operation Multicast 10 Multicast Multicast is a layer-3 protocol widely used for audio and video distribution. It is also used for various zero-configuration protocols, such as Bonjour. Multicast, while a layer-3 protocol, also affects layer 2, because it uses a special range of Ethernet MAC addresses. Certain characteristics of the 802.11 family of wireless protocol are affected by these addresses, so it is necessary to either block all multicast traffic or configure your Firetide mesh to handle Multicast traffic with maximum efficiency. Briefly, Multicast packets have an IP address in the range of 224.0.0.0 to 239.255.255.255. These packets will be carried in Ethernet frames with MAC addresses in the range of 01:00:5E:00:00:00 - 01:00:5E:7F:FF:FF. Further details on Multicast addressing can be found at the end of this chapter. Multicast and 802.11 Wireless Protocols Multicast presents a challenge for a wireless access point, because the AP does no have a good way of know which client is the intended recipient, or how good the wireless connection is. The 802.11 standards committee elected to simplify this problem by requiring the radio to slow down to its lowest modulation rate (e.g. 6 Mbps for 802.11g) and send the Ethernet frame to all clients. This is simple and reliable but not very efficient. It means that the entire mesh will slow down, dramatically, even if there is only a modest amount of Multicast traffic. To preserve maximum wireless speed, Firetide offers an option to encapsulate Multicast traffic inside conventional Unicast frames, which can then be sent precisely where they need to be at full radio speed. Firetide also offers an option to simply block all multicast traffic. Many installations do not require support for Multicast traffic across the mesh; this option is a simple solution. Systems which must support Multicast need to create one or more Multicast Groups. Figure 9.76 Disabling Multicast If your network does not require Multicast support (and many don’t) you should disable Multicast. This can be done by clicking on the Mesh menu and selecting Multicast Groups. 57 58 HotView Pro Software Operation Creating a Multicast Group First, determine which Multicast IP addresses will be in use on the mesh. It is possible to configure the system to allow all Multicast, but this may not give the same performance if there is ‘random’ Multicast traffic present. You should also identify the nodes which represent the source of the Multicast traffic (typically the camera nodes) and the destination (usually the head node or the Gateway Interface nodes. Figure 9.77 Creating a Multicast Group Once you have identified the Multicast IP addresses to be used, select the Multicast Groups command from the mesh menu, and the click on New Multicast. This opens a window in which you can specify the IP address and the nodes which need to participate. You will create a Multicast Group for each Multicast IP address in use. Figure 9.78 New Multicast Window Here, you can specify the IP address for the Multicast group, and add the required nodes to the group. Figure 9.79 A Completed Multicast Group The exit node and the source node for this IP Multicast group have been added. Repeat this process for each Multicast group you plan to use. An example of a multiple-Multicast setup is shown in Figure 9.80. Multicast Figure 9.80 Completed Multicast Groups Here, three Multicast groups have been defined. Allowing All Multicast You can also allow all Multicast traffic to or from either all nodes, or a subset thereof. This is recommended only if you do not know what the Multicast IP address groups will be. Figure 9.81 Allowing All Multicast Traffic This can include all nodes, or a selected subset. Removing a Multicast Group To remove a Multicast group, select Edit Multicast and remove all the nodes from the group. 57 60 HotView Pro Software Operation Figure 9.82 Reserved Addresses These tables show the reserved addresses used for various Multicast functions and Ethernet MAC addresses. This information may be of use in troubleshooting Multicast problems. IP Address Reserved Function 224.0.0.0 Base address (reserved) 224.0.0.1 All Hosts multicast group addresses all hosts on the same network segment. 224.0.0.2 All Routers multicast group addresses all routers on the same network segment. 224.0.0.4 Used in the Distance Vector Multicast Routing Protocol (DVMRP) to address multicast routers. 224.0.0.5 All OSPF Routers address is used to send Hello packets to all OSPF routers on a network segment. 224.0.0.6 All D Routers address is used to send routing information to designated routers on a segment. 224.0.0.9 RIP version 2 group address is used to send routing information to all RIP2-aware routers on a segment. 224.0.0.10 EIGRP group address is used to send routing information to all EIGRP routers on a network segment. 224.0.0.13 Protocol Independent Multicast (PIM) Version 2 224.0.0.18 Virtual Router Redundancy Protocol (VRRP) 224.0.0.19 - 21 IS-IS over IP 224.0.0.22 Internet Group Management Protocol (IGMP) Version 3 224.0.0.102 Hot Standby Router Protocol version 2 (HSRPv2) / Gateway Load Balancing Protocol (GLBP) 224.0.0.107 Precision Time Protocol version 2 peer delay measurement messaging 224.0.0.251 Multicast DNS (mDNS) address 224.0.0.252 Link-local Multicast Name Resolution (LLMNR) address 224.0.1.1 NTP clients listen on this address for protocol messages when operating in multicast mode. 224.0.1.39 AUTO-RP-ANNOUNCE address is used by RP mapping agents to listen for candidate announcements. 224.0.1.40 AUTO-RP-DISCOVERY address is destination address for RP mapping agent to discover candidates. 224.0.1.41 H.323 Gatekeeper discovery address 224.0.1.129 - 132 Precision Time Protocol version 1 time announcements 224.0.1.129 Precision Time Protocol version 2 time announcements 224.0.1.133239.255.255.255 Available for Multicast Groups Ethernet multicast address Type Field Usage 01-00-0C-CC-CC-CC 0x0802 CDP (Cisco Discovery Protocol), VTP (VLAN Trunking Protocol) 01-00-0C-CC-CC-CD 0x0802 Cisco Shared Spanning Tree Protocol Address 01-80-C2-00-00-00 0x0802 Spanning Tree Protocol (for bridges) IEEE 802.1D 01-80-C2-00-00-08 0x0802 Spanning Tree Protocol (for provider bridges) IEEE 802.1AD 01-80-C2-00-00-02 0x8809 Ethernet OAM Protocol IEEE 802.3ah 01-00-5E-xx-xx-xx 0x0800 IPv4 Multicast (RFC 1112) 33-33-xx-xx-xx-xx 0x86DD IPv6 Multicast (RFC 2464) VLANs 11 VLANs Virtual LANs are created to provide segmentation and isolation services that would otherwise be implemented using physically-distinct Ethernet switches, with routers as the sole interconnect between LAN segments. Figure 10.83 shows three subnets, each isolated by virtue of being on its own switch. A router interconnects them. This provides the desired traffic isolation and security, but it is inflexible because it is implemented in hardware. Router provides layer-3 connectivity Subnet 192.1.24.0/24 Subnet 172.1.1.0/24 Subnet 10.13.54.0/24 Figure 10.84 show how this can be implemented using VLANs. The switch is programmed to isolate the traffic into three separate groups. A VLAN trunk carries the traffic to the router, which, provides the interconnection among the three VLANs. Security is maintained because, by definition, switches may not bridge IP traffic between VLANs as it would violate the integrity of the VLAN broadcast domain. Router provides layer-3 connectivity Figure 10.83 LANs Three Separate In this example, there are three isolated LANs, each with its own range of IP addresses. The router is the sole connection among the LANs. Ethernet frames on one LAN are not visible on the others. This provides security and reduces total traffic volume. Figure 10.84 VLAN Implementation of Three Separate LANs Here, a VLAN-capable switch has been used to create three separate LAN segment. A VLAN trunk connects all three VLANs to the router with a single wire. Subnet 192.1.24.0/24 Subnet 172.1.1.0/24 Subnet 10.13.54.0/24 VLANs are layer 2 constructs; IP subnets are layer 3 constructs. IEEE 802.1Q is the standard that defines a system of VLAN tagging for Ethernet frames and the procedures to be used by switches in handling such frames. The standard also provides for a quality of service prioritization scheme commonly known as IEEE 802.1p. 61 62 HotView Pro Software Operation VLAN Terminology Most common computer equipment is not VLAN-aware; that is, it is not capable of generating VLAN-tagged traffic. This untagged traffic gets a tag added to it by the Ethernet switch. Access Points are one of the varieties of network equipment which can create tagged traffic. One of the most common uses of VLANs is to isolate 802.11 wireless APs from each other, especially if the APs serve different classes of users. This is particularly common when using virtual APs - systems where one physical 802.11 base station acts as several APs. An example is shown in Figure 10.85. Three virtual APs have been created; one for employees, one for guests, and a high-security one for finance. The three virtual APs are represented as three tinted APs. Each virtual AP has its own VLAN. This provides security and traffic isolation among the different classes of users. Figure 10.85 Three Virtual Access Points on Three VLANs This shows three virtual APs (or profiles) implemented within one physical AP. Each virtual AP has its own VLAN. The router moves traffic between them. HotPoint 5100 AP Guests VLAN 30 Finance VLAN 40 Employees VLAN 20 VLAN-unaware devices Figure 10.85 also shows devices which are not VLAN-aware. These devices must have a VLAN tag added to them by the switch, and the switch port must be configured to do this. Native VLANs, Trunk Ports, and Hybrid Trunk Ports If untagged traffic arrives on a port that has not been configured to assign a tag, the traffic is assigned to a default VLAN, usually referred to as the Native VLAN. Trunk Ports are used to move collections of VLAN traffic from device to device. In Figure 10.85, trunk ports exist between the AP and the switch, and between the switch and the router. These trunks move tagged traffic. They do NOT move untagged traffic. Hybrid ports must be used to carry a mix of tagged and untagged traffic. VLANs Implementing VLANs VLAN implementation on a Firetide mesh should begin by determining the following key parameters of the overall network VLAN implementation. • Are end-point devices VLAN-aware? • Will you need to carry trunked VLAN traffic across the mesh? • Will you need wired ports on the mesh capable of handling both VLAN trunks and untagged traffic? (These are called hybrid ports.) • Is there a management VLAN, and if so what is the VLAN number? • What VLAN number do you wish to assign as the Native VLAN? This number will be used as the tag for untagged traffic. Assigning Port-Based VLANs To cause a port to assign a VLAN tag to incoming traffic, select the VLAN command from the mesh menu. A window will appear, as shown in Figure 10.86. Click on Edit VLAN Interface. A new window will open. Figure 10.86 Window VLAN Creation This window is used to create and modify both port-based VLANs and VLAN trunks. The new window is used to select a node, a port on that node, and a VLAN number. Repeat this for every node and port in the mesh. Figure 10.87 VLAN Port Assignment Window In this example, port 3 of the Southwest node is about to be assigned VLAN number 99. You can add as many VLAN ports as you wish, before clicking on Save. In some cases, a port may need to accept tagged traffic while also assigning a tag to untagged traffic. Additional, secondary VLANS can be added. Figure 10.88 Assignments Multiple VLAN If a port is connected to a VLANaware device and also a non-VLANaware devices, you can configure it to add tags to untagged traffic. In this example, tag 53 will be added to untagged traffic, and the port will accept tagged traffic with a value of 89. 61 64 HotView Pro Software Operation VLAN Trunks A VLAN trunk is simply a connection between two switches that carries multiple VLANs. To create a trunk, select the VLANs command from the Mesh menu, and click on Edit VLAN Trunks... Figure 10.89 Editing VLANs and VLAN Trunks Use this window to view VLANs and VLAN trunks. A VLAN trunk port will only accept tagged traffic. Untagged traffic will be blocked. (If you have untagged traffic as well as tagged traffic, you need to use hybrid ports, covered in a later section.) Figure 10.90 The VLAN Trunk Window Specify the node and port on which trunks will be accepted. VLANs Figure 10.91 VLAN Trunk Configuring a Here, a trunk port has been configured on one node, and second trunk port is about to be set up. Hybrid Ports If your network design requires that you handle both tagged and untagged traffic on a port, you must configure that port as a Hybrid Port. Figure 10.92 Hybrid VLAN Configuration Here, port 2, which is already a trunk port, is being enabled for hybrid VLAN operation. 61 66 HotView Pro Software Operation 67 Appendix A Regulatory Information FCC Class A Notice Aclara devices comply with Part 15 of the FCC Rules. Operation is subject to the following two conditions: • This device may not cause harmful interference. • This device must accept any interference received, including interference that may cause undesired operation. FCC Part 15 Note This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in an office installation. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the measures shown at right: FCC Part 90 Note Interference Correction • Reorient or relocate the receiving antenna. • Increase the separation between the equipment and receiver. • Connect the equipment into an outlet on a circuit different from that to which the receiver is connected. • Consult the dealer or an experienced radio/television technician for help. This equipment has been tested pursuant to FCC Part 90, DSRC-C mask certification, and is approved for use in the US on Public Safety bands by licensed Public Safety agencies. Public Safety Band Pursuant to Part 90.1215, use of antennas with gain greater than 9 dBi and up to 19 dBi in the 4.940 - 4.990 GHz Public Safety band is permissible without reduction of TX output power. The antenna shall have a directional gain pattern in order to meet the requirement of point to point and point to multi-point operation. Modifications Any modifications made to this device that are not approved by Aclara, Inc. may void the authority granted to the user by the FCC to operate this equipment. FCC Radiation Exposure Statement To ensure compliance with the FCC’s RF exposure limits, the antenna used for this transmitter must be installed to provide a separation distance from all persons. The 5900 must not be co-located or operated in conjunction with any other antenna or transmitter. Installers and end users must follow these installation instructions. Minimum Distances • For the 5900, the distance must be 76 cm. HotView Pro Software Operation Installation Antenna(s) for this unit must be installed by a qualified professional. Operation of the unit with non-approved antennas is a violation of U.S. FCC Rules, Part 15.203(c), Code of Federal Regulations, Title 47. Canadian Compliance Statement This Class A Digital apparatus meets all the requirements of the Canadian Interference-Causing Equipment Regulations. Cet appareil numerique de la classe A respecte les exigences du Reglement sur le material broilleur du Canada. This device complies with Class A Limits of Industry Canada. Operation is subject to the following two conditions: 1. This device may not cause harmful interference, and 2. This device must accept any interference received, including interference that may cause undesired operation. Aclara 5900 Series wireless mesh nodes are certified to the requirements of RSS-210 for 2.4 and 5 GHz spread spectrum devices. The use of this device in a system operating either partially or completely outdoors may require the user to obtain a license for the system according to the Canadian regulations. For further information, contact your local Industry Canada office. Canadian units will not transmit in the 5600-5650 MHz band. Table 11.1 DFS Channels 5260 5280 5300 5320 5500 5520 5540 5560 5580 5600 5620 5640 5660 Yes If > 35 km Yes If > 35 km Yes If > 35 km Yes If > 35 km Yes If > 35 km Yes If > 35 km Yes If > 35 km Yes If > 35 km Yes If > 35 km Banned Banned Banned Yes If > 35 km Channel Avoidance TDWR Restrictions 52 56 60 64 100 104 108 112 116 120 124 128 132 Registration Center Frequency Distance Determination This table shows channels defined as DFS. They are color-coded based on the applicable rule set. Channel 68 Yes Yes Yes Yes Yes Yes Yes Yes Yes DFS Notice Aclara 5900 Series products sold in the US are preset for US frequency bands, channels, and power levels. No country code setting is required, or permitted. This chapter explains how to enable DFS operation when operating in the US, and how to correctly configure DFS channels so as to maintain compliance with FCC regulations and guidelines. No No No No No No No No Yes DFS operation can only be enabled and configured by a DFS-qualified professional installer. Contact Aclara for details. Yes Yes 136 5680 Yes If > 35 km Yes 140 5700 Yes If > 35 km Yes No No OR • The TDWR is operating on a frequency more than 30 MHz different than the equipment. All channels listed in the table must comply with basic DFS rules, including channel avoidance when radar signals are detected. Channels 120, 124, and 128 have been removed from DFS service completely. These channels must not be used in the US anywhere, at any time. They do not appear in channel listing in any Aclara product, and are only listed here for historical reference. Channels 116 and 132 may only be used when certain special rules have been followed. The channels can only be used if either of the following two conditions are met: • The transmitting antenna is more than 35 km from all TDWR stations; 69 Distance You must determine if there are any transmitting elements (i.e., any Aclara product) within 35 km of any TDWR system. Refer to Table 11.2 for a list of TDWR installations in the US. If there are, you should register the installation. Registration A voluntary WISPA-sponsored database has been developed that allows registration of devices within 35 km of any TDWR location (see http:// www.spectrumbridge.com/udia/home.aspx). This database is used by government agencies to expedite resolution of any interference with TDWRs. Channel Avoidance When a radar signature is detected on a channel, transmitters must stop using that channel. The Channel Selection control lets you configure the channels to which the system can switch, and the channels which must be avoided (blacklisted). TDWR-Restricted Additional Requirements Terminal Doppler Weather Radar systems operate in the 5600 MHz band, and must be kept free of interference from all other types of equipment. For this reason, the FCC has removed channels 120, 124, and 128 (5600-5640) from service, and placed additional restrictions on channels 116 (5580 MHz) and 132 (5660 MHz). If you are within 35 km of a TDWR, you may not operate on any channel that is within 30 MHz of the listed TDWR frequency. In some instances it is possible that a device may be within 35 km of multiple TDWRs. In this case the device must ensure that it avoids operation within 30 MHz for each of the TDWRs. This requirement applies even if the master is outside the 35 km radius but communicates with outdoor clients which may be within the 35 km radius of the TDWRs. The requirement for ensuring 30 MHz frequency separation is based on the best information available to date. If interference is not eliminated, a distance limitation based on line-of-sight from TDWR will need to be used. In addition, devices with bandwidths greater than 20 MHz may require greater frequency separation. 70 HotView Pro Software Operation Table 11.2 TDWR Installations This list is current as of August 2011. Elevation and antenna height shown in feet. Refer to www.fcc.gov for the most current version. ST AZ CO FL FL FL FL FL GA IL IL IN KS KY KY LA MA MD MD MD MI MN MO MO MS NC NC NJ NJ NV NY OH OH OH OK OK OK OK PA PR TN TX TX TX TX UT VA WI City Phoenix Denver Ft Lauderdale Miami Orlando Tampa West Palm Beach Atlanta Mccook Crestwood Indianapolis Wichita Covington-Cincinnati Louisville New Orleans Boston Brandywine Benfield Clinton Detroit Minneapolis Kansas City Saint Louis Desoto County Charlotte Raleigh Durham Woodbridge Pennsauken Las Vegas Floyd Bennett Field Dayton Cleveland Columbus Aero. Ctr TDWR #1 Aero. Ctr TDWR #2 Tulsa Oklahoma City Hanover San Juan Nashville Houston Intercontl Pearland Dallas Love Field Lewisville DFW Salt Lake City Leesburg Milwaukee Longitude Latitude W 112 09 46 N 33 25 14 W 104 31 35 N 39 43 39 W 080 20 39 N 26 08 36 W 080 29 28 N 25 45 27 W 081 19 33 N 28 20 37 W 082 31 04 N 27 51 35 W 080 16 23 N 26 41 17 W 084 15 44 N 33 38 48 W 087 51 31 N 41 47 50 W 087 43 47 N 41 39 05 W 086 26 08 N 39 38 14 W 097 26 13 N 37 30 26 W 084 34 48 N 38 53 53 W 085 36 38 N 38 02 45 W 090 24 11 N 30 01 18 W 070 56 01 N 42 09 30 W 076 50 42 N 38 41 43 W 076 37 48 N 39 05 23 W 076 57 43 N 38 45 32 W 083 30 54 N 42 06 40 W 092 55 58 N 44 52 17 W 094 44 31 N 39 29 55 W 090 29 21 N 38 48 20 W 089 59 33 N 34 53 45 W 080 53 06 N 35 20 14 W 078 41 50 N 36 00 07 W 074 16 13 N 40 35 37 W 075 04 12 N 39 56 57 W 115 00 26 N 36 08 37 W 073 52 49 N 40 35 20 W 084 07 23 N 40 01 19 W 082 00 28 N 41 17 23 W 082 42 55 N 40 00 20 W 097 37 31 N 35 24 19 W 097 37 43 N 35 23 34 W 095 49 34 N 36 04 14 W 097 30 36 N 35 16 34 W 080 29 10 N 40 30 05 W 066 10 46 N 18 28 26 W 086 39 42 N 35 58 47 W 095 34 01 N 30 03 54 W 095 14 30 N 29 30 59 W 096 58 06 N 32 55 33 W 096 55 05 N 33 03 53 W 111 55 47 N 40 58 02 W 077 31 46 N 39 05 02 W 088 02 47 N 42 49 10 Latitude and Longitude based on NAD83 datum. Frequency 5610 MHz 5615 MHz 5645 MHz 5605 MHz 5640 MHz 5620 MHz 5615 MHz 5615 MHz 5615 MHz 5645 MHz 5605 MHz 5603 MHz 5610 MHz 5646 MHz 5645 MHz 5610 MHz 5635 MHz 5645 MHz 5615 MHz 5615 MHz 5610 MHz 5605 MHz 5610 MHz 5610 MHz 5608 MHz 5647 MHz 5620 MHz 5610 MHz 5645 MHz 5647 MHz 5640 MHz 5645 MHz 5605 MHz 5610 MHz 5620 MHz 5605 MHz 5603 MHz 5615 MHz 5610 MHz 5605 MHz 5605 MHz 5645 MHz 5608 MHz 5640 MHz 5610 MHz 5605 MHz 5603 MHz Elev 1024 5643 10 72 14 20 962 646 663 751 1270 942 617 151 233 184 249 656 1040 1040 551 371 757 400 19 39 1995 922 817 1037 1285 1293 712 1195 1266 59 722 154 36 541 554 4219 361 820 Ht 64 64 113 113 97 80 113 113 97 113 97 80 97 113 97 113 113 113 97 113 80 64 97 113 113 113 113 113 64 97 97 113 113 80 97 113 64 113 113 97 97 80 80 31 80 113 113 Revision History Revision Date Notes 1.0draft3 2012-02-14 Initial Release
Source Exif Data:
File Type : PDF File Type Extension : pdf MIME Type : application/pdf PDF Version : 1.7 Linearized : Yes Create Date : 2012:02:16 08:49:35-05:00 Creator : Adobe InDesign CS5.5 (7.5.2) Modify Date : 2012:02:16 08:49:51-05:00 XMP Toolkit : Adobe XMP Core 5.2-c001 63.139439, 2010/09/27-13:37:26 Metadata Date : 2012:02:16 08:49:51-05:00 Creator Tool : Adobe InDesign CS5.5 (7.5.2) Format : application/pdf Document ID : uuid:e1365cad-0400-41e1-a417-69bd0766fd8e Instance ID : uuid:d9098406-641f-4c1b-92d5-6def827e8abe Producer : Adobe PDF Library 9.9 Page Count : 36EXIF Metadata provided by EXIF.tools